CVE-2025-21664 (GCVE-0-2025-21664)

Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-11-03 20:58
VLAI?
Title
dm thin: make get_first_thin use rcu-safe list first function
Summary
In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < cd30a3960433ec2db94b3689752fa3c5df44d649 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 802666a40c71a23542c43a3f87e3a2d0f4e8fe45 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 12771050b6d059eea096993bf2001da9da9fddff (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 6b305e98de0d225ccebfb225730a9f560d28ecb0 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < cbd0d5ecfa390ac29c5380200147d09c381b2ac6 (git)
Affected: b10ebd34cccae1b431caf1be54919aede2be7cbe , < 80f130bfad1dab93b95683fc39b87235682b8f72 (git)
Create a notification for this product.
    Linux Linux Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.4.290 , ≤ 5.4.* (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.72 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:40.356Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-thin.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "cd30a3960433ec2db94b3689752fa3c5df44d649",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "802666a40c71a23542c43a3f87e3a2d0f4e8fe45",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "12771050b6d059eea096993bf2001da9da9fddff",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "6b305e98de0d225ccebfb225730a9f560d28ecb0",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "cbd0d5ecfa390ac29c5380200147d09c381b2ac6",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            },
            {
              "lessThan": "80f130bfad1dab93b95683fc39b87235682b8f72",
              "status": "affected",
              "version": "b10ebd34cccae1b431caf1be54919aede2be7cbe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-thin.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.290",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.125",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.72",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: make get_first_thin use rcu-safe list first function\n\nThe documentation in rculist.h explains the absence of list_empty_rcu()\nand cautions programmers against relying on a list_empty() -\u003e\nlist_first() sequence in RCU safe code.  This is because each of these\nfunctions performs its own READ_ONCE() of the list head.  This can lead\nto a situation where the list_empty() sees a valid list entry, but the\nsubsequent list_first() sees a different view of list head state after a\nmodification.\n\nIn the case of dm-thin, this author had a production box crash from a GP\nfault in the process_deferred_bios path.  This function saw a valid list\nhead in get_first_thin() but when it subsequently dereferenced that and\nturned it into a thin_c, it got the inside of the struct pool, since the\nlist was now empty and referring to itself.  The kernel on which this\noccurred printed both a warning about a refcount_t being saturated, and\na UBSAN error for an out-of-bounds cpuid access in the queued spinlock,\nprior to the fault itself.  When the resulting kdump was examined, it\nwas possible to see another thread patiently waiting in thin_dtr\u0027s\nsynchronize_rcu.\n\nThe thin_dtr call managed to pull the thin_c out of the active thins\nlist (and have it be the last entry in the active_thins list) at just\nthe wrong moment which lead to this crash.\n\nFortunately, the fix here is straight forward.  Switch get_first_thin()\nfunction to use list_first_or_null_rcu() which performs just a single\nREAD_ONCE() and returns NULL if the list is already empty.\n\nThis was run against the devicemapper test suite\u0027s thin-provisioning\nsuites for delete and suspend and no regressions were observed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:30.814Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd30a3960433ec2db94b3689752fa3c5df44d649"
        },
        {
          "url": "https://git.kernel.org/stable/c/802666a40c71a23542c43a3f87e3a2d0f4e8fe45"
        },
        {
          "url": "https://git.kernel.org/stable/c/12771050b6d059eea096993bf2001da9da9fddff"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b305e98de0d225ccebfb225730a9f560d28ecb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbd0d5ecfa390ac29c5380200147d09c381b2ac6"
        },
        {
          "url": "https://git.kernel.org/stable/c/80f130bfad1dab93b95683fc39b87235682b8f72"
        }
      ],
      "title": "dm thin: make get_first_thin use rcu-safe list first function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21664",
    "datePublished": "2025-01-21T12:18:19.015Z",
    "dateReserved": "2024-12-29T08:45:45.732Z",
    "dateUpdated": "2025-11-03T20:58:40.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…